pwd's in dbases

Hi all,

What is the best way to store a pwd into a dbase? I guess it is hashing it.
Read a lot regarding this issue to use md5 for it, but can I use AES for it
also? And what is that salt thing doing? And then, there is more: what is
the best way to request a login and pwd from a user (client level) without
using https or ntlm or something like that, just a clean html / asp thing.

John


Jul 19 '05 #1
It depends on the implementation.

For ultimate security, encrypt with a one-way function. You then encrypt
prior to checking if the login is correct. In this system, a new PWD has to
be generated if the user loses it, as PWDs are not crackable (at least in
theory). I have seen systems that used a one-way hash, but these are not
really one way. PVCS used (may still use) a simple hex generator that threw
off the ASCII code according to a simple algorithm. Rather easy to crack for
anyone with a few minutes of time and an understanding of security. This is
not a good method for a really secure system, but most systems are not
otherwise set up to prevent internal hacking anyway. The hash will stop the
casual looker, while the encrypt will help even more.

NOTE: There are more prudent methods to secure databases, like eliminating
direct table access and forcing access via stored procedures.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

************************************************
Think Outside the Box!
************************************************

Jul 19 '05 #2
On Thu, 15 Jul 2004 12:11:19 +0200, "John" <fa***@facke.null> wrote:

> What is the best way to store a pwd into a dbase? I guess it is hashing it.
> Read a lot regarding this issue to use md5 for it, but can i use AES for it
> also? And what is that salt thing doing?

All these are great, though some may be trivial to break. The real
security comes from not allowing access to the table the passwords are
stored in.

> And then, there is more, What is
> the best way to request a login and pwd from a user (client level) without
> using https or ntlm or something like that, just a clean html / asp thing.

Use a simple form if that's all you need. SSL would help, and an
ActiveX that encoded the password on the client may add security, but
just a basic login form is pretty simple.

Jeff
Jul 19 '05 #3
*Never* store the password in unencrypted form.

Always use some asp to encrypt using a shared key and store that. Then when
they log in or whatever, you encrypt what they type (as a pwd) and compare
that with the stored encrypted - this means that even a symmetrical
encryption like RC4 can be made single ended...

You still have a (tenuous-ish) security prob if someone is sniffing packets
or you have been duped into a redirect and you aren't using HTTPS or similar
as the unencrypted pwd must be posted into the processing asp etc...
Jul 19 '05 #4
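
An added example, not written by any poster in this thread, of what the salt asked about in the first post does: it stores a password with a per-user random salt and a one-way function and checks a login by recomputing, next to the unsalted MD5 the question mentions. It uses Python and PBKDF2-HMAC-SHA256 rather than ASP; the function names, the record format and the iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; raise it as hardware allows


def unsalted_md5(password: str) -> str:
    """Plain MD5 as mentioned in the question: equal passwords give equal digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scheme$iterations$salt$hash' for storage in the password column."""
    salt = os.urandom(16) if salt is None else salt  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        rounds = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed or legacy record
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    alice, bob = hash_password(pw), hash_password(pw)
    print(unsalted_md5(pw) == unsalted_md5(pw))  # same password, same row without a salt
    print(alice != bob)                          # same password, different rows with a salt
    print(verify_password(pw, alice), verify_password("wrong", alice))
```

Because the salt is stored beside the hash, nothing secret has to be kept on the server to verify a login, and a precomputed table of digests cannot be reused across users.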
